Server 2008 and IPSec
Our primary domain controller is running Server 2008. We also have DCs running Server 2003. We have batch files that use netsh to create and export IPSec policies for use on individual machines and for Group Policy. The policies are not using IKE or any type of encryption, but are used as ACLs to block/allow certain IP addresses, ports and protocols. We use the same policy on all DCs. When the policy is assigned on the new 2008 DC, name resolution stops for the server. Workstations can resolve names against the server, but the server can't resolve anything itself. If I try to do an nslookup on the server, it times out. And our users can't access the DFS shares. Before we upgraded to Server 2008 the policy worked (and still works) on the Server 2003 DCs. Does Server 2008 do something differently than the 2003s?
August 27th, 2009 5:37pm

Hi, how did you configure the DNS settings on the clients and on Windows Server 2008? Please also let us know more about your detailed IPSec settings. Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
August 28th, 2009 12:25pm

DNS on the clients is set to use the DCs, and the DC with the problems is the primary (I've tried switching them around with no luck.) On the DC, I have tried setting the DNS to both the assigned IP address of the DC and to 127.0.0.1, as well as to the other DCs, with no luck. We are using IPSec as a firewall. I have a batch file that uses netsh to set the IPsec properties. I realize that this is not the best practice, but it is what my department insists upon. Basically I block everything coming and going. I then open up ports needed such as 80, 81, 53, 25, etc. I also open up everything between servers, and everything between server and workstation. To verify that it was not a conflict with the IPSec process itself, I created a simple policy with 2 rules: allow everything in, and allow everything out (which worked.) I've used this same policy for over a year now, modifying it occasionally to add or remove an IP address, and it has worked on all of the 2003 DCs. It wasn't until we added the 2008 DC that I ran into this problem. I am now working on setting up a batch file that will use the advanced firewall instead of IPsec, just to see if there is any difference.
August 31st, 2009 10:50pm
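As an added example (not the poster's own batch file, which the thread does not show), here is how a policy of the shape described above can be built with netsh ipsec static: block everything, then permit DNS, a few published TCP ports, and the server and workstation subnets. The policy name, list names and the 192.0.2.0/24 and 198.51.100.0/24 subnets are constructed sample values. The part worth comparing against the failing DC is the DNS list. Windows IPsec filters are matched by specificity, not by rule order, so the specific permit filters override the any/any block; but a mirrored "any -> me port 53" filter only covers packets to and from the server's own port 53. The server's own outbound lookups leave from an ephemeral port toward port 53 on another resolver, so they need a separate "me -> any port 53" filter, or the server can answer clients while being unable to resolve anything itself.

```batch
@echo off
setlocal
rem Added example: host ACL built from IPsec filters with netsh ipsec static.
rem All names and subnets below are constructed sample values (assumptions).
set POLICY=DC ACL
set SERVERS=192.0.2.0
set SERVERMASK=255.255.255.0
set WORKSTATIONS=198.51.100.0
set WSMASK=255.255.255.0

rem Remove any earlier copy of these objects so the script can be re-run.
netsh ipsec static delete policy name="%POLICY%" >nul 2>&1
netsh ipsec static delete filterlist name="All traffic" >nul 2>&1
netsh ipsec static delete filterlist name="DNS" >nul 2>&1
netsh ipsec static delete filterlist name="Published services" >nul 2>&1
netsh ipsec static delete filterlist name="Trusted hosts" >nul 2>&1
netsh ipsec static delete filteraction name="Block" >nul 2>&1
netsh ipsec static delete filteraction name="Permit" >nul 2>&1

rem Filter actions: plain permit/block, no IKE negotiation, no encryption.
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Permit" action=permit

rem 1. Catch-all list: everything to or from this host (mirrored = both directions).
netsh ipsec static add filterlist name="All traffic"
netsh ipsec static add filter filterlist="All traffic" srcaddr=any dstaddr=me protocol=any mirrored=yes

rem 2. DNS, both roles of a domain controller.
netsh ipsec static add filterlist name="DNS"
rem    a) queries the DC answers: any -> me:53 and the mirrored replies.
netsh ipsec static add filter filterlist="DNS" srcaddr=any dstaddr=me protocol=UDP dstport=53 mirrored=yes
netsh ipsec static add filter filterlist="DNS" srcaddr=any dstaddr=me protocol=TCP dstport=53 mirrored=yes
rem    b) queries the DC sends itself: me -> any:53 from an ephemeral source port.
rem       The mirrored filters in (a) do NOT match these packets.
netsh ipsec static add filter filterlist="DNS" srcaddr=me dstaddr=any protocol=UDP dstport=53 mirrored=yes
netsh ipsec static add filter filterlist="DNS" srcaddr=me dstaddr=any protocol=TCP dstport=53 mirrored=yes

rem 3. Published TCP services from the thread (25, 80, 81), inbound to this host.
netsh ipsec static add filterlist name="Published services"
for %%P in (25 80 81) do netsh ipsec static add filter filterlist="Published services" srcaddr=any dstaddr=me protocol=TCP dstport=%%P mirrored=yes

rem 4. Everything between this host and the server / workstation subnets.
netsh ipsec static add filterlist name="Trusted hosts"
netsh ipsec static add filter filterlist="Trusted hosts" srcaddr=%SERVERS% srcmask=%SERVERMASK% dstaddr=me protocol=any mirrored=yes
netsh ipsec static add filter filterlist="Trusted hosts" srcaddr=%WORKSTATIONS% srcmask=%WSMASK% dstaddr=me protocol=any mirrored=yes

rem Policy and rules. IPsec picks the most specific matching filter, so the
rem permit rules win over the any/any block regardless of the order added here.
netsh ipsec static add policy name="%POLICY%" description="Host ACL built from IPsec filters; no IKE" assign=no
netsh ipsec static add rule name="Block all" policy="%POLICY%" filterlist="All traffic" filteraction="Block"
netsh ipsec static add rule name="Permit DNS" policy="%POLICY%" filterlist="DNS" filteraction="Permit"
netsh ipsec static add rule name="Permit published services" policy="%POLICY%" filterlist="Published services" filteraction="Permit"
netsh ipsec static add rule name="Permit trusted hosts" policy="%POLICY%" filterlist="Trusted hosts" filteraction="Permit"

rem Export for reuse on other machines / Group Policy, then assign and verify.
netsh ipsec static exportpolicy file="%POLICY%.ipsec"
netsh ipsec static set policy name="%POLICY%" assign=y
netsh ipsec static show policy name="%POLICY%" level=verbose

rem Check: the server resolving a name against itself must succeed with the policy assigned.
nslookup %COMPUTERNAME% 127.0.0.1
endlocal
```

The nslookup at the end is the check the thread describes: run it on the DC with the policy assigned and compare with the same query from a workstation; if clients resolve but the server times out, inspect the verbose policy output for an outbound "me -> any, port 53" filter before looking anywhere else.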
